Comments on: Two-Factor Authentication for WordPress
https://wpcerber.com/two-factor-authentication-for-wordpress/
Defender
Feed last updated: Tue, 31 Jan 2023 18:18:14 +0000

By: Gregory, Sun, 13 Feb 2022 19:12:08 +0000
https://wpcerber.com/two-factor-authentication-for-wordpress/#comment-34323
In reply to Fungencio.

It will be implemented using a mobile authenticator app. SMS is not secure enough and, in many countries, it’s not always easy to set up. Anyway, stay tuned.

By: Fungencio, Sun, 13 Feb 2022 11:35:11 +0000
https://wpcerber.com/two-factor-authentication-for-wordpress/#comment-34305

Are you guys planning to implement 2FA over SMS?

By: Gregory, Sun, 15 Aug 2021 18:33:40 +0000
https://wpcerber.com/two-factor-authentication-for-wordpress/#comment-29380
In reply to Jaimy.

We had a reason to implement it this way. In one of the next releases, it will be implemented in a more convenient way, without involving other accounts.

By: Jaimy, Sun, 15 Aug 2021 09:31:58 +0000
https://wpcerber.com/two-factor-authentication-for-wordpress/#comment-29370
In reply to Gregory.

Why did you choose this approach? I mean, in most cases there is only one account for a WordPress instance… and administrators should be the most secure account. Now in my case, I’ll need to make a different account just for this purpose and then remove it again. It would be better if you changed this so that administrators could do this by default and maybe work with backup codes for lockouts.

By: Gregory, Thu, 10 Sep 2020 17:12:41 +0000
https://wpcerber.com/two-factor-authentication-for-wordpress/#comment-21472
In reply to Cameron.

All API keys have to be stored in an unencrypted form because it’s their nature. Please post Cloudflare-related questions on this page: https://wpcerber.com/cloudflare-add-on-wp-cerber/

By: Cameron, Wed, 09 Sep 2020 19:07:02 +0000
https://wpcerber.com/two-factor-authentication-for-wordpress/#comment-21450
In reply to Gregory.

Greg, I have verified that the Cloudflare Global API Key is in the clear within the database, under the default WordPress Options table. This is like a password; it should be hashed and obscured as much as possible. If I can go from email to admin login and dump the database, the connected Cloudflare account becomes entirely exposed.

I suggest this Cloudflare article where they describe the criticality of this themselves. You must protect this key by all means necessary.

https://blog.cloudflare.com/keeping-our-users-safe/

By: Gregory, Wed, 09 Sep 2020 17:22:33 +0000
https://wpcerber.com/two-factor-authentication-for-wordpress/#comment-21449
In reply to Cameron.

When it comes to WordPress, email is one of the best channels. Why? Because you should consider ALL aspects and advantages of using email in the context of 2FA for WordPress. Email is free, it’s easy to manage, it’s a native part of customer mobile devices and WordPress itself, it has no issues with privacy or GDPR, users don’t have to buy, install and manage a mobile application, you can receive 2FA pins on any device, and most importantly, it’s secure because unlike text/SMS messages, no apps or viruses on a mobile device have access to emails. Can an email account be compromised? It’s not an argument because any channel can be compromised.

The Cloudflare API key is not exposed anywhere except the Cloudflare add-on admin page. Only the website admin has access to the Cloudflare API key. And yes, it is saved as is, in an unencrypted way, because Cloudflare servers accept API keys in an unencrypted form.

By: Cameron, Wed, 09 Sep 2020 05:21:42 +0000
https://wpcerber.com/two-factor-authentication-for-wordpress/#comment-21438

No OTP (or U2F) support “[p]rimarily because email is one of the most reliable channels on this planet for delivering 2FA codes”? Is that the legitimate justification for the lack of this practically-required-in-any-secure-infrastructure feature?

Going with that logic: a compromised email account, one that let’s say *doesn’t* have MFA enabled on it (because the user read somewhere on a security blog that it was ‘the most reliable’), would then be the ultimate keys to the kingdom for this security plugin? Am I understanding that correctly? *Especially* when you combine plugging in the Cloudflare Global API Key with the add-on; I just checked, and your Cloudflare GLOBAL API key is totally exposed in the clear to the user and in the database!

Stumbling upon that comment from nearly a year ago legitimately makes me re-think my on-going subscription.

Yikes.

By: Gregory, Thu, 03 Sep 2020 09:09:50 +0000
https://wpcerber.com/two-factor-authentication-for-wordpress/#comment-21347
In reply to Stilian.

Before you can enable 2FA for the administrator role, you have to complete one successful login with 2FA enabled for any other role on the website.

By: Stilian, Wed, 02 Sep 2020 12:24:45 +0000
https://wpcerber.com/two-factor-authentication-for-wordpress/#comment-21329
In reply to Gregory.

Can you please answer why the “Two-factor authentication” setting for Administrators is un-clickable/non-configurable in the free version of Cerber?

This is weird and confusing because this option is working for all other user roles, but not for administrators. I only want to enable 2FA for administrators, and right now I can’t do that. I want to choose the “Always enabled” option, not the “Advanced mode”, so it should be available in the free version, right? Is this a bug, and if so, can you fix it?
